
need to get the correct cacert.pem for AWS on CentOS boxes #325

Closed
jtimberman opened this issue Feb 24, 2015 · 2 comments

Comments

@jtimberman

On CentOS, we download the cacert.pem bundle from the curl project.

The problem with this is explained in this mailing list post: http://curl.haxx.se/mail/archive-2014-10/0062.html

This manifests itself on CentOS when using Package Cloud for yum repositories, where, on the 5.11 box, it fails because SSL can't verify the certificate. Package Cloud has a valid SSL certificate, but their repositories are backed by AWS S3, so there's a redirect that happens, and SSL verification fails.
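Before replacing a vendor-maintained CA bundle with a downloaded one, a practitioner would want to see exactly which roots the swap removes. The following is an added example (not bento code) that parses two curl-style PEM bundles, fingerprints each certificate, and reports the roots present in the vendor bundle but absent from the replacement; the two bundles are constructed stand-ins whose base64 payloads are arbitrary bytes, not real certificates, so it runs offline with only the standard library.

```python
import base64
import hashlib
from typing import Dict, List, Tuple

# Constructed sample bundles (NOT real certificates): only the layout mirrors a
# curl-style cacert.pem (name line, a row of '=', then the PEM block).
VENDOR_BUNDLE = """\
Example Root A
==============
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQQ==
-----END CERTIFICATE-----

Example Root B (vendor bundle only)
===================================
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQg==
-----END CERTIFICATE-----
"""

DOWNLOADED_BUNDLE = """\
## Constructed stand-in for a downloaded cacert.pem that lacks Root B
Example Root A
==============
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQQ==
-----END CERTIFICATE-----
"""


def parse_bundle(text: str) -> Dict[str, str]:
    """Map the SHA-256 fingerprint of each DER certificate to its name line."""
    certs: Dict[str, str] = {}
    label, b64_lines, collecting = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            collecting, b64_lines = True, []
        elif line == "-----END CERTIFICATE-----":
            der = base64.b64decode("".join(b64_lines))
            certs[hashlib.sha256(der).hexdigest()] = label or "(unlabelled)"
            collecting, label = False, None
        elif collecting:
            b64_lines.append(line)
        elif line and not line.startswith("#") and set(line) != {"="}:
            label = line  # most recent name line before the PEM block
    return certs


def missing_from(replacement: Dict[str, str], vendor: Dict[str, str]) -> List[Tuple[str, str]]:
    """Roots the vendor bundle trusts that the replacement bundle would drop."""
    return sorted((vendor[fp], fp) for fp in vendor.keys() - replacement.keys())
```

Running `missing_from(parse_bundle(open(downloaded).read()), parse_bundle(open(vendor).read()))` against a real `/etc/pki/tls/certs/ca-bundle.crt` and a downloaded `cacert.pem` lists the roots a `ks.cfg` overwrite would discard.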

jtimberman pushed a commit to chef-boneyard/chef-server-ingredient that referenced this issue Feb 24, 2015
This commit adds CentOS 5.11 to the test matrix. This requires working
around a bug in the bento box where the cacert.pem bundle doesn’t have
the VeriSign certificates that AWS uses.

chef/bento#325

This workaround is applied as a recipe in the test cookbook because it
may not be necessary for end users who may not have that certificate
bundle.
@juliandunn
Contributor

I'm actually a little 👎 entirely on the overwriting of cacert.pem in ks.cfg (which blows away the vendor-maintained cacert.pem from the openssl package), so I might remove it and see what happens. I originally thought it was in order to make the cert chain work for the Vagrant insecure public key, but we're retrieving that over plain HTTP anyway due to CentOS 5's inability to understand SSL SNI as utilized by GitHub.

#318 also mentions this.

@jtimberman
Author

I'll work up a PR for testing that removes these from the various ks.cfg's.

juliandunn added a commit that referenced this issue Feb 24, 2015
legal90 added a commit to legal90/bento that referenced this issue Nov 24, 2015
* commit '8f09552fff04535f8f57e3ab423d45784fad1313':
  Fixes chef#325, chef#318 - don't download cacert.pem
  change mirror to http.debian.net, fixes chef#322
  Fix minor typo in vm_name.
  update to debian 7.8
  Added links to Fedora 21 boxes
  Update to Ubuntu 14.04.1. Fixes chef#290
  Change company domain name to chef.io
  Update travis.yml for opscode to chef org rename
  Added Fedora 21 VB base boxes to README
  Remove EOL Fedora 19 content
  Fedora 19 is EOL as of January 6, 2015. https://lists.fedoraproject.org/pipermail/announce/2015-January/003248.html
  Make script zypper-locks.sh workable

Conflicts:
	packer/debian-7.8-amd64.json
	packer/debian-7.8-i386.json